Security defaults that belong in every Spring Boot application from day one.
{
  "instruction": "Configure CORS in SecurityFilterChain with explicit allowed origins",
  "relevant_when": "Agent creates or modifies a Spring Boot application that will be accessed from a browser on a different origin",
  "context": "CORS must be configured within the SecurityFilterChain using http.cors() with a CorsConfigurationSource bean, so preflight requests are handled by Spring Security. Configuring CORS only in WebMvcConfigurer without security integration causes preflight failures. Never use allowedOrigins(\"*\") -- always set explicit origins from configuration or environment.",
  "sources": [
    {
      "type": "file",
      "filename": "skills/springboot-security-basics/SKILL.md",
      "tile": "tessl-labs/springboot-security-basics@0.2.0"
    }
  ],
  "checklist": [
    {
      "name": "cors-in-security-chain",
      "rule": "Agent configures CORS within the SecurityFilterChain using http.cors() with a CorsConfigurationSource, not only in WebMvcConfigurer",
      "relevant_when": "Agent creates or modifies a Spring Boot application with Spring Security"
    },
    {
      "name": "cors-explicit-origins",
      "rule": "Agent sets explicit allowed origins (not \"*\") from configuration properties or environment variables",
      "relevant_when": "Agent configures CORS for a Spring Boot application"
    },
    {
      "name": "cors-methods-restricted",
      "rule": "Agent specifies allowed HTTP methods rather than allowing all methods with \"*\"",
      "relevant_when": "Agent configures CORS for a Spring Boot application"
    }
  ]
}